On Wed, 2014-01-15 at 14:02 +0000, Luis Henriques wrote: > Hi, > > Please consider including the following commit in 2.6.32 and 3.8 stable > kernels (all the others already have it), as it fixes CVE-2013-6380: > > commit b4789b8e6be3151a955ade74872822f30e8cd914
Thanks Luis -- queuing it up for 3.8-stable. -Kamal > Author: Mahesh Rajashekhara <[email protected]> > Date: Thu Oct 31 14:01:02 2013 +0530 > > aacraid: prevent invalid pointer dereference > > It appears that driver runs into a problem here if fibsize is too small > because we allocate user_srbcmd with fibsize size only but later we > access it until user_srbcmd->sg.count to copy it over to srbcmd. > > It is not correct to test (fibsize < sizeof(*user_srbcmd)) because this > structure already includes one sg element and this is not needed for > commands without data. So, we would recommend to add the following > (instead of test for fibsize == 0). > > Signed-off-by: Mahesh Rajashekhara <[email protected]> > Reported-by: Nico Golde <[email protected]> > Reported-by: Fabian Yamaguchi <[email protected]> > Signed-off-by: Linus Torvalds <[email protected]> > > Cheers, > -- > Luis
signature.asc
Description: This is a digitally signed message part
